Pulp uses /etc/pki/content/{issuer hash}.r0 for CRL. This commit set puppet
module to save Candlpin CRL to this path so that revoced certificated can't be
used to access protected repo later.
When testing this feature, it's good to set this in /etc/candlepin/candlepin.conf:
pinsetter.org.fedoraproject.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule = 0 * * * * ?
The CRL is generated by a scheduled job, which is run at noon by default. The
setting above set's it to regenerate it every minute so that it can be tested
easier.